Business Continuity Planning (BCP) Master Depository Book A : REFERENCE DOCUMENTS Section 3 : METHODOLOGY Chapter 5 : Internal Control Questionnaire of CO's BCP audit

Post on 15-Aug-2020



Business Continuity Planning (BCP) Master Depository

Book A : REFERENCE DOCUMENTS

Section 3 : METHODOLOGY

Chapter 5 : Internal Control Questionnaire of CO's BCP audit


THE CALIFORNIA STATE UNIVERSITY OFFICE OF THE UNIVERSITY AUDITOR

BUSINESS CONTINUITY AUDIT

INTERNAL CONTROL QUESTIONNAIRE (ICQ) AND REQUEST FOR DOCUMENTS (RFD)

Subject: Business Continuity Audit    Campus:    Audit#:    OUA Staff:

Campus Preparer:    Date:

Campus Reviewer:    Date:

Columns of the original form: Internal Control Question | Internal Control Response (Campus) | Document Request | Rec'd (Audit Use Only). In the transcript below, each question is followed by the campus response and the document request; the entry from the Rec'd column is shown in parentheses at the end of each document request.

General Environment

Q1 Describe how the BC program is administered (i.e., specific department or position name(s), reporting structure(s), scope/distribution of responsibilities, etc.).

Response: The VP of Administration & Finance has the delegated authority by the SJSU President to be in charge of campus-wide BCP. The Director of Internal Control (Ninh Phamhi) from the Office of the VP Administration & Finance is responsible for coordination of all BCP aspects. A Business Continuity Steering Committee (BCSC) has been established for BCP. Each divisional VP is responsible for BCP in their own area, including planning for logistical procedures, implementation, and maintenance.

D1 Any existing organization chart depicting the organization in place for the campus BC program. (4)

Q2 Explain whether the campus has a BC Planning Committee or, as an alternative, primary and secondary persons with the responsibility for business continuity planning activities (BC Coordinators).

Response: Yes, SJSU has a BCSC. The Committee Chair is the BC campus coordinator mentioned in Q1. Secondary BC coordinator is Dorothy Poole, AVP with the Office of the VP Administration & Finance. BCSC charter, list of members, meeting schedule, meeting agenda, etc. are included in the SJSU BCP Master Plan document.

D2 a. Correspondence or delegations of authority from the President identifying the BC planning committee and/or the primary and secondary BC coordinators. (4)
b. Position descriptions and responsibilities of the BC coordinator(s) or a description of the responsibilities of the BC planning committee. (4)
c. If a BC planning committee exists, then please provide a listing of current members of the BC planning committee and meeting minutes for the last two calendar or fiscal years. (4)

Business Continuity ICQ/RFD - Version 4 8/16/2010 1 of 9

THE CALIFORNIA STATE UNIVERSITY OFFICE OF THE UNIVERSITY AUDITOR

EMERGENCY PREPAREDNESS (EP) INTERNAL CONTROL QUESTIONNAIRE (ICQ) AND REQUEST FOR DOCUMENTS (RFD)

Q3 a. Does the BC program overlap or interact with any other business procedures, such as emergency preparedness, safety and health, insurance and risk management, security, etc.?
b. How is this coordinated and how do these areas communicate with each other?

Response: The emergency preparedness (EP) function and the BC function are managed separately. They are both under the VP of Administration & Finance, which facilitates easy communications. The EP function has a long-standing history, whereas the BC function is relatively new. The EP coordinator and EP manager have been involved in BC-related communications and vice-versa.

D3 Copies of any other relevant business plans that relate to BC. (4)

Q4 a. Has the campus identified BC contacts at key business units with essential functions?
b. How are these contacts involved in the BC program?

Response: Yes, all BC contacts are identified as senior managers in university divisions. Key business units with essential functions have been identified. The key contacts for each essential function work with their division's BCSC representative for planning, implementation and maintenance. Further, the key contacts and the BCSC members work under the oversight of their divisional VPs and the overall guidance of the VP of Administration & Finance.

D4 A listing of BC contacts at key business units that have essential functions. (4)

Q5 Describe what policies and procedures the campus has in place to support the BC planning process and written plans.

Response: We do not use policies to support planning. The full planning procedure is described in detail in the binder "SJSU BCP Master Plan" that we will give to the auditor.

D5 All policies and procedures related to BC planning including, but not limited to:
a. Business Impact Analysis and Risk Assessment of key business units with essential functions. (4)
b. Development, testing and review and updating BC plans. (4)
c. Communication and training for BC activities. (4)
d. Record retention for BC records. (4)

Business Continuity ICQ/RFD - Version 3 2 of 9 7/9/2010

Q6 a. Describe the campus strategies for returning to normal operations after a catastrophe or emergency.
b. Are these strategies written into a specific policy or within business continuity plans (BCPs)?

Response: (Please see full details in SJSU BCP Master Plan, Section "Concept of Operations") Yes, they are part of the SJSU BCP Master Plan.

D6 Any written policy or example from a BCP showing campus strategies for resuming normal operations. (4)

Q7 a. Does the campus have policies and procedures in place to ensure that critical information is backed-up on a regular basis to an off-site location, and that the data is recoverable?
b. If backup and recovery policies and procedures exist, have they been tested? If so, when?

Response: Yes, the back-up procedure is in place and documentation is available (for: CMS, Bursar's Office, Housing, Health Center, Student Affairs). Yes, most back-ups are done weekly, and the testing frequency varies based on needs and available manpower of different campus units.

D7 a. Written policies and procedures for critical data back-up. (4)
b. Documentation showing the results of actual backup and recovery tests within the last two calendar or fiscal years. (4)

Business Continuity Planning

Q8 a. Please explain how, and to what extent, the campus has identified and documented all business units that are deemed essential to operations continuity (having essential or critical functions).
b. What is the criteria the campus uses to define an "essential function"?

Response: We have completed this identification in Phase 1, which is a high level top-down assessment of all campus departments. Phase 2 will be the validation process of this identification by BCSC. Please see full methodology in SJSU BCP Master Plan. Basically, there are a series of questions to assess the business impact of the function and thus determine if it is an essential function.

D8 A single listing of all campus business units that the campus has identified as essential to operations continuity. (4)

Q9 a. Has the campus completed a Business Impact Analysis for each business unit that has been identified to provide essential functions, and then identified the essential functions and workflows, the qualitative and quantitative impacts of threats to essential functions, prioritized and established recovery time and/or recovery point objectives for the essential functions?
b. Who was responsible for the analysis, and who participated in the process?

Response: We have completed this analysis in Phase 1, which is a high level top-down assessment of all campus departments, by the BC team in the Office of the VP for Administration & Finance. In Phase 2, the departments will develop their own departmental BCP. This will require a bottoms-up Business Impact Analysis to determine essential functions, maximum allowable downtime, recovery time, workflows, the qualitative and quantitative impacts of threats to essential functions, and priority for restoration. In Phase 3, the BCSC will compile the departmental BCPs, validate/revise as necessary to create a University BCP.

D9 a. A hard copy or data file copy of the approved Business Impact Analysis (if not already provided above). (4)
b. A listing of campus-identified essential business units. (4)
c. Any relevant documents that describe/document campus identification of essential business units. (4)

Q10 a. Has the campus completed a Risk Assessment for each business unit that has been identified to provide essential functions, and then identified the vulnerabilities and threats that may impact the campus' ability to fulfill the mission of the campus and define the controls in place to reduce the exposure to the vulnerabilities/threats identified?
b. Who was responsible for the analysis, and who participated in the process?

Response: Not yet. This assessment will be conducted in Phase 2 (see SJSU BCP Master Plan). In Phase 1, a top-down Business Impact Analysis was completed. In Phase 2, the BCSC will work with the various departments to complete a Risk Assessment for each unit that provides essential functions. In Phase 3, the BCSC will compile the departmental BCPs, validate/revise as necessary to create a University BCP.

D10 A hard copy or data file copy of the approved Risk Assessment for each business unit (if not already provided above). (N/A - But we have created the tools and the Methodology for this)

Q11 a. Has the campus completed BCPs for every essential business unit?
b. Who was responsible for/who participated in developing this plan?

Response: Not yet. We have completed this analysis in Phase 1, which is a high level top-down assessment of all campus departments, by the BC team in the Office of the VP for Administration & Finance. In Phase 2, the departments will develop their own departmental BCP. This will require a bottoms-up Business Impact Analysis to determine essential functions, maximum allowable downtime, recovery time, workflows, the qualitative and quantitative impacts of threats to essential functions, and priority for restoration. In Phase 3, the BCSC will compile the departmental BCPs, validate/revise as necessary to create a University BCP.

D11 Hard or soft copies of the most recent approved BCPs for each essential business unit. (N/A - But we have created the tools and the Methodology for this)

Q12 a. Does the campus have a campus-wide written plan for a potential avian pandemic influenza? If so, does the plan have emergency preparedness features, or is it entirely business continuity related, or both? When was the last time that the avian pandemic influenza plan was formally reviewed and updated?
b. In 2007 James Lee Witt Associates reviewed Pandemic Influenza Business Continuity Plans for the CSU and made individual campus assessments. How has the campus responded to and addressed the Witt Associates suggestions?

Response: Yes. It has EP and BC features. It was updated last year in 2009 and is currently under review. The current 2009 Plan has incorporated several of the 2007 James Lee Witt Associates' assessment of the SJSU Plan. The 2010 Plan (currently under review) will incorporate the remaining recommendations from the 2007 James Lee Witt Associates' assessment.

D12 a. A copy of the campus avian flu pandemic plan. (4)
b. In 2007 James Lee Witt Associates reviewed Pandemic Influenza Business Continuity Plans for the CSU and made individual campus assessments. How has the campus responded to and addressed the Witt Associates suggestions?

Business Continuity Plan Testing

Q13 Describe the process used for monitoring tests of campus BCPs, and how the campus assures that all plans will meet their testing objectives and requirements. Please include discussion of the following:
a. How often does the campus perform tests of its business unit BCPs, and who is responsible for ensuring these tests are performed?
b. Do the business units have schedules and plans that will ensure that their entire BC Plan will be tested within 7 years?
c. Has there been an actual event that would necessitate activation of the BCP?

Response: Full description is detailed in SJSU BCP Master Plan Binder, Section 4 "Testing and Validation of BCP Manual" and Section 5 "On-going Maintenance and Testing".

D13 a. A schedule (list) showing both completed and upcoming BCP tests. (4)
b. Schedules showing seven year testing cycles for each business unit with essential operations, or plans for such testing. (4)

Q14 a. Do business units document BCP tests with either a corrective action plan or an after action report?
b. If corrective action plans or after action reports are written and saved, how does the campus follow-up on and resolve issues identified for correction, and are corrective actions documented?
c. If corrective action plans or after-action reports are written for tests, are they reviewed by the head business unit and the BC Coordinator or by the Business Continuity Planning Committee?

Response: Yes - Full description is detailed in SJSU BCP Master Plan Binder, Section 4 "Testing and Validation of BCP Manual" and Section 5 "On-going Maintenance and Testing".

D14 a. Full documentation of test results and lessons learned, in after action reports or corrective action plans, for any and all BCP tests completed within the last two calendar or fiscal years. (N/A)
b. Any documentation showing that the campus acted upon and corrected any deficiencies noted in the corrective action plans or after action reports. (N/A)

Business Continuity Plan Maintenance

Q15 How often are BCPs reviewed and updated to ensure that they are current? Who is responsible for performing this review?

Response: Annually. Section 5 of BCP Master Plan contains full details of BCP Maintenance & Testing.

D15 Change history/past revisions of BC plans. (N/A)

Q16 Describe the process used for monitoring tests of campus BCPs, and how the campus assures that all plans will meet their testing objectives and requirements.

Response: Section 5 of BCP Master Plan contains full details of BCP Maintenance & Testing.

D16 Any relevant testing schedules (note, this may have already been provided above, and if so please make reference here). (See Q13)

Business Continuity Plan Communications

Q17 Describe the business continuity program communications process. Consider the following:
a. How often, and by what methods (phone, email, meetings), are communications made between the Business Continuity Coordinator (BCC) and the Business Continuity Planning Committee (BCPC) if one exists.
b. How often, and by what methods, are communications between the BCC and business units and/or between the BCPC and business units.

Response: Section 1 of BCP Master Plan contains full details of framework for BCP communication and management. Communication methods will be varied. For example, the BCSC meets monthly, and written minutes are prepared by the BC coordinator and sent to the BCSC via email. A BCP website is maintained. Communications (email, phone, in-person) will be ongoing with the BCSC members and their respective stakeholders (i.e., Division VP, managers of key business departments, etc.).

D17 Evidence of business continuity program planning and discussions between the various involved parties. Acceptable types of evidence would include e-mail communications, meeting minutes, dated notes, etc.

Q18 a. Describe communications and arrangements with outside agencies and emergency personnel that have been made to ensure continuity of operations.
b. Describe lines of communication with the campus Emergency Manager, and whether periodic meetings or discussions are held. Are communications between the Emergency Manager and BCC open and ongoing?

Response: Several mutual aid agreements have been put in place with outside agencies to ensure continuity of operations. Basically these agreements are for law enforcement and purchasing emergency supplies. The secondary BC Coordinator and BCSC member for the Administration & Finance Division is Dorothy Poole. She has maintained ongoing communications with the Emergency Coordinator and Emergency Manager. All BCSC members are responsible for maintaining communications with their respective emergency preparedness personnel (e.g., Building Coordinators).

D18 a. Any examples of agreements (mutual aid agreements) with outside agencies.
b. Any examples of agreements or internal communications with the campus Emergency Manager.

Training and Awareness

Q19 a. Has BCP training (initial training and "refresher training") been provided to those individuals responsible for developing and implementing BCPs?
b. When was the training provided and who attended?
c. Who is responsible for scheduling and providing the training?
d. Does a BC training program exist, and has it been formalized?

Response: We are researching vendors of BCP training. In Phase 2 of the current inception cycle, we will train all representatives in BCSC, and all the managers that BCSC recommends. The VP of Administration & Finance will fund this training. The campus BCP coordinator is responsible for scheduling the training. The BC training program exists (see SJSU BCP Master Plan Section 6), but it is not formalized because it needs BCSC feedback and approval in Phase 2.

D19 a. Copies of training presentation, or course syllabus, or any other course materials that show evidence of the topic(s) trained. (4)
b. Sign-in sheets, logs, training records, or any other documentation of training attendees. (N/A)
c. Evidence that a training program is in place and formalized, such as a training schedule and/or program policy or description. (4)

Record Retention

Q20 a. Describe the record retention policies and procedures for business continuity planning documentation, including both hard-copy records and data file records.
b. Describe record scanning and imaging procedures if used by the campus for business continuity purposes.
c. Describe any specific software used for recordkeeping (for example, the "Kuali Ready" software licensed by UC Berkeley).

Response: We follow the Chancellor's Office guidelines for records retention. We plan to use the campus-wide imaging capability to scan and post essential BCP documents to the SJSU BCP website. We don't plan to use specific software for BCP records keeping at this time. We assessed the UC Berkeley BCP software (restarting UC Berkeley) but determined there were too many unresolved systems issues (e.g., maintenance and upgrades) for it to work for SJSU. We will use the database feature of the Campus Imaging Project for recordkeeping.

D20 a. Any available policy or procedures for business continuity record retention. (4)
b. Any written description or manual for specialty software used. (documentation available at Imaging Project)

END OF ICQ/RFD

Business Continuity ICQ/RFD - Version 3 9 of 9 7/9/2010